5.Remote-file-inclusion-rfi

Key Takeaways:

  • RFI vs. LFI:

    • RFI allows including remote files, while LFI includes local files.

    • RFI often implies LFI, but not vice versa.

    • RFI enables SSRF and remote code execution.

  • Vulnerable Functions:

    • Functions like include(), file_get_contents(), and others can be vulnerable.

    • The table provided is a good reference.

  • Verification of RFI:

    • Checking allow_url_include in PHP is a start.

    • Testing with a local URL (e.g., http://127.0.0.1) is crucial.

    • Testing to see if the included file is executed, or just displayed is also very important.

  • Remote Code Execution:

    • Creating a malicious script (e.g., a PHP web shell).

    • Hosting the script on a remote server.

    • Including the script through the RFI vulnerability.

  • Hosting Methods:

    • HTTP:

      • Using Python's http.server module.

      • Common and straightforward.

    • FTP:

      • Using Python's pyftpdlib.

      • Useful for bypassing certain firewalls or WAFs.

      • Authentication within the URL is covered.

    • SMB:

      • Using Impacket's smbserver.py.

      • Specifically for Windows servers.

      • Utilizing UNC paths.

      • Important to note that this is more reliable on internal networks.

Additional Considerations:

  • Security Implications:

    • RFI is a severe vulnerability that can lead to complete server compromise.

    • Disabling remote URL inclusion is a critical security measure.

  • WAF Bypasses:

    • Attackers may use encoding, obfuscation, or different protocols to bypass WAFs.

    • It is very important to test many different protocols.

  • SSRF Exploitation:

    • RFI can be combined with SSRF to access internal services and resources.

    • The referenced Server-Side Attacks module is important.

  • Real-World Scenarios:

    • Attackers often combine RFI with other vulnerabilities for greater impact.

    • Attackers will often use reverse shells instead of simple web shells.

  • Defense in Depth:

    • Proper input validation and sanitization are essential.

    • Network segmentation and firewalls can limit the impact of RFI.

    • Keeping software up to date is very important.

  • Protocol Diversity:

    • The demonstration of HTTP, FTP, and SMB highlights the importance of understanding various protocols.

    • Attackers may use less common protocols to evade detection.

Previous4.PHP-wrappersNext6.LFI-and-file-uploads

Last updated